Steps to reproduce (preferably on a non-public wiki):
Change the Label of any Item used as a Badge (see Special:AvailableBadges) from something like Good Article to Good Article" style="display:none".
⇒ The badge is no longer visible on any Items that use it. (might need a purge or resetting the badge though)
This might leak personal data (IP-Address) to a third party by using it with a Label like Good Article" style="background-image: url(https://evil.attacker.com/transparent_pixel.png)"
As far as I know, this is not currently being exploited. Also, injecting scripts is probably not possible, because <, > and such are being escaped. Injecting scripts is possible via e.g. onclick="alert(1)".